<html>
<head><meta charset="utf-8"><title>RustSec and unsound Read · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20and.20unsound.20Read.html">RustSec and unsound Read</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="224603692"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20and%20unsound%20Read/near/224603692" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20and.20unsound.20Read.html#224603692">(Jan 30 2021 at 20:33)</a>:</h4>
<p>We have outstanding PRs for unsound uses of Read trait that are not fixed upstream. The PR description explains it nicely:</p>
<blockquote>
<p>As of Jan 2021, there doesn't seem to be an ideal fix that works in stable Rust with no performance overhead. Below are links to relevant discussions &amp; suggestions for the fix.</p>
<ul>
<li>
<p><a href="https://paper.dropbox.com/doc/IO-Buffer-Initialization-MvytTgjIOTNpJAS6Mvw38">Well-written document regarding the issue</a></p>
</li>
<li>
<p><a href="https://github.com/rust-lang/rfcs/blob/master/text/2930-read-buf.md#summary">Rust RFC 2930</a></p>
</li>
<li>
<p><a href="https://doc.rust-lang.org/std/io/struct.Initializer.html">nightly feature <code>std::io::Initializer</code></a></p>
</li>
<li>
<p><a href="https://internals.rust-lang.org/t/uninitialized-memory/1652">Discussion in Rust Internals Forum</a></p>
</li>
</ul>
</blockquote>
<p>I can add that <code>std::io::Initializer</code> didn't pan out - it didn't actually solve the problem, and is not being considered for stabilization. RFC 2930 supersedes it, but is not yet implemented, even in nightly.</p>



<a name="224603780"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20and%20unsound%20Read/near/224603780" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20and.20unsound.20Read.html#224603780">(Jan 30 2021 at 20:35)</a>:</h4>
<p>We need to decide what to do about them as far as RustSec advisories go. Should we surface this issue as a warning, as a hard error, or not at all?</p>



<a name="224619190"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20and%20unsound%20Read/near/224619190" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Yechan Bae <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20and.20unsound.20Read.html#224619190">(Jan 31 2021 at 03:13)</a>:</h4>
<p>It should at least need a warning, because certain safe Read implementation can cause UB with them - <a href="https://github.com/rust-lang/rfcs/blob/master/text/2930-read-buf.md#but-how-bad-are-undefined-values-really">But how bad are undefined values really?</a></p>



<a name="224645806"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20and%20unsound%20Read/near/224645806" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20and.20unsound.20Read.html#224645806">(Jan 31 2021 at 13:52)</a>:</h4>
<p>The counterpoint to this is that while a <code>Read</code> implementation is technically allowed to read from the buffer it was given, in practice it never needs to. So for this to become a miscompilation, it requires _both_ parts to be broken.<br>
Personally I agree that this needs to be fixed and the risk is not worth the few % of performance it gets you, but I'm not sure how to make a convincing case for it.</p>



<a name="224671795"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20and%20unsound%20Read/near/224671795" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Yechan Bae <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20and.20unsound.20Read.html#224671795">(Jan 31 2021 at 23:21)</a>:</h4>
<p>The standard library now explicitly calls out that <a href="https://doc.rust-lang.org/std/io/trait.Read.html#tymethod.read">passing uninitialized buffer to <code>read()</code> is not safe</a>, so we were relying on the authority of the stnadard library to convince people when filing a bug report to crate maintainers. Also, how likely a bug will be triggered doesn't affect the soundness of the function. That's why I thought uninit read bugs sufficiently qualify for at least <code>informational = "unsound"</code> bugs, aren't they?</p>



<a name="233830675"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20and%20unsound%20Read/near/233830675" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Ammar Askar <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20and.20unsound.20Read.html#233830675">(Apr 09 2021 at 14:31)</a>:</h4>
<p>Just wanted to bring this up again since this still seems to be the main type of open advisory PR. Given that this type of <code>Read</code> implementation is unlikely to be found in practice, should we just tag the advisories with <code>informational = "unsound"</code>? Or is the main reason to not pull them in because there's no good language level solution without sacrificing performance yet?</p>



<a name="233866912"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20and%20unsound%20Read/near/233866912" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20and.20unsound.20Read.html#233866912">(Apr 09 2021 at 18:09)</a>:</h4>
<p><code>informational = "unsound"</code> seems good to me, unless there is a credible threat</p>



<a name="233878756"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20and%20unsound%20Read/near/233878756" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Ammar Askar <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20and.20unsound.20Read.html#233878756">(Apr 09 2021 at 19:34)</a>:</h4>
<p>Yeah that seems like a reasonable approach to me as well, we'll tag as <code>unsound</code>.</p>



<a name="234100925"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20and%20unsound%20Read/near/234100925" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Yechan Bae <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20and.20unsound.20Read.html#234100925">(Apr 12 2021 at 04:12)</a>:</h4>
<p>We updated previously opened PRs with <code>unsound</code> tag. Could you check the pull requests again?<br>
<a href="https://github.com/RustSec/advisory-db/pulls">https://github.com/RustSec/advisory-db/pulls</a></p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>